mbedtls/library
Gilles Peskine 7ff812e0d7 Remove a secret-dependent branch in Montgomery multiplication
In mpi_montmul, an auxiliary function for modular
exponentiation (mbedtls_mpi_mod_exp) that performs Montgomery
multiplication, the last step is a conditional subtraction to force
the result into the correct range. The current implementation uses a
branch and therefore may leak information about secret data to an
adversary who can observe what branch is taken through a side channel.

Avoid this potential leak by always doing the same subtraction and
doing a constant-trace conditional assignment to set the result.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-09 11:50:44 +02:00
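The pattern the commit message describes, as an added example that is not Mbed TLS code: a Montgomery multiplication leaves its result in [0, 2N), and the last step has to subtract N when the result is at or above N. The first variant below branches on that condition; the second always performs the subtraction into a temporary and then selects between the two candidates with a mask derived from the borrow, so the instruction trace does not depend on the secret. The limb width, NLIMBS, and the names sub_limbs, final_reduce_branchy, final_reduce_ct and reduce_limb are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not Mbed TLS code): the final conditional subtraction of
 * a Montgomery multiplication, first with the secret-dependent branch the
 * commit message describes, then branch-free. Limb width, NLIMBS and all
 * function names here are assumptions made for the illustration. */
typedef uint32_t limb_t;
#define NLIMBS 4

/* r = a - b over n little-endian limbs; returns the final borrow (1 iff a < b).
 * The 64-bit intermediate keeps the borrow computation free of branches. */
static limb_t sub_limbs(limb_t *r, const limb_t *a, const limb_t *b, size_t n)
{
    limb_t borrow = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t d = (uint64_t)a[i] - b[i] - borrow;
        r[i] = (limb_t)d;
        borrow = (limb_t)(d >> 63);   /* top bit set iff the subtraction wrapped */
    }
    return borrow;
}

/* Before: a is in [0, 2N); bring it below N. Whether the `if` is taken
 * depends on secret data, so timing, branch-predictor state or cache
 * behaviour can reveal it to an observer. */
static void final_reduce_branchy(limb_t *a, const limb_t *n, size_t nl)
{
    limb_t tmp[NLIMBS];
    if (sub_limbs(tmp, a, n, nl) == 0) {        /* a >= n: keep a - n */
        for (size_t i = 0; i < nl; i++)
            a[i] = tmp[i];
    }
}

/* After: always perform the subtraction, then select the result with a
 * mask derived from the borrow. The same instructions run and the same
 * memory locations are touched whether or not a >= n. */
static void final_reduce_ct(limb_t *a, const limb_t *n, size_t nl)
{
    limb_t tmp[NLIMBS];
    limb_t borrow = sub_limbs(tmp, a, n, nl);    /* always executed */
    limb_t keep = (limb_t)0 - (borrow ^ 1);      /* all ones iff a >= n, else zero */
    for (size_t i = 0; i < nl; i++)
        a[i] = (tmp[i] & keep) | (a[i] & ~keep);
}

/* Helper for the demo: reduce the 4-limb value (a0, a1, 0, 0) modulo
 * (n0, n1, 0, 0) with either variant and return result limb `idx`. */
static limb_t reduce_limb(int ct, limb_t a0, limb_t a1, limb_t n0, limb_t n1, size_t idx)
{
    limb_t a[NLIMBS] = { a0, a1, 0, 0 };
    limb_t n[NLIMBS] = { n0, n1, 0, 0 };
    if (ct) final_reduce_ct(a, n, NLIMBS);
    else    final_reduce_branchy(a, n, NLIMBS);
    return a[idx];
}

int main(void)
{
    /* Constructed inputs: 2^32 + 3 reduced modulo 2^32 leaves 3 in limb 0;
     * both variants must agree, only their traces differ. */
    printf("branchy: %u  constant-trace: %u\n",
           (unsigned)reduce_limb(0, 3, 1, 0, 1, 0),
           (unsigned)reduce_limb(1, 3, 1, 0, 1, 0));
    return 0;
}
```

The C standard gives no guarantee that the mask-and-select stays branch-free after optimisation, so a change like this should be checked in the generated assembly (or with a tool such as ctgrind or dudect) on the toolchains that matter. Mbed TLS's bignum.c carries its own constant-time selection primitive, mbedtls_mpi_safe_cond_assign, for exactly this kind of step.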
.gitignore
aes.c
aesni.c
arc4.c
asn1parse.c
asn1write.c Fix ASN1 bitstring writing 2019-02-11 21:10:48 +00:00
base64.c
bignum.c
blowfish.c
camellia.c
ccm.c
certs.c
cipher.c
cipher_wrap.c
cmac.c
CMakeLists.txt
ctr_drbg.c
debug.c Return from debugging functions if SSL context is unset 2018-08-23 14:57:39 +01:00
des.c
dhm.c
ecdh.c
ecdsa.c
ecjpake.c
ecp.c
ecp_curves.c
entropy.c
entropy_poll.c
error.c
gcm.c
havege.c
hmac_drbg.c
Makefile
md.c Merge branch 'development' into development-restricted 2018-01-25 17:28:31 +00:00
md2.c
md4.c
md5.c
md_wrap.c
memory_buffer_alloc.c
net_sockets.c
oid.c
padlock.c
pem.c
pk.c
pk_wrap.c
pkcs5.c
pkcs11.c
pkcs12.c
pkparse.c
pkwrite.c
platform.c
ripemd160.c
rsa.c
rsa_internal.c
sha1.c
sha256.c
sha512.c
ssl_cache.c
ssl_ciphersuites.c
ssl_cli.c
ssl_cookie.c
ssl_srv.c
ssl_ticket.c
ssl_tls.c
threading.c
timing.c
version.c
version_features.c
x509.c
x509_create.c
x509_crl.c
x509_crt.c
x509_csr.c
x509write_crt.c
x509write_csr.c
xtea.c